Code-Based Cryptography: Key Attacks
I. Márquez-Corbella

Code-Based Cryptography
1. Error-Correcting Codes and Cryptography
2. McEliece Cryptosystem
3. Message Attacks (ISD)
4. Key Attacks
5. Other Cryptographic Constructions Relying on Coding Theory

4. Key Attacks
1. Introduction
2. Support Splitting Algorithm
3. Distinguisher for GRS codes
4. Attack against subcodes of GRS codes
5. Error-Correcting Pairs
6. Attack against GRS codes
7. Attack against Reed-Muller codes
8. Attack against Algebraic Geometry codes
9. Goppa codes still resist

The McEliece Cryptosystem

Consider a family of codes F with an efficient decoding algorithm, indistinguishable from random codes.

Key Generation Algorithm:
1. G ∈ F_q^{k×n} a generator matrix for C ∈ F
2. A_C an "efficient" decoding algorithm for C which corrects up to t errors.

Public Key: K_pub = (G, t)
Private Key: K_secret = (A_C)

Parameters          Key size   Security level
[1024,524,101]_2    67 ko      2^62
[2048,1608,48]_2    412 ko     2^96

The McEliece Cryptosystem

Encryption Algorithm:
Encrypt a message m ∈ F_q^k as
ENCRYPT(m) = mG + e = y
where e is a random error vector of weight at most t.

Decryption Algorithm:
Using K_secret, the receiver obtains m.
DECRYPT(y) = A_C(y) = m
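
The key generation, ENCRYPT and DECRYPT steps above, as an added example that is not part of the original slides: a toy instance over F_2 built on the [7,4,3] Hamming code with t = 1. The choice of code, the use of a column permutation as the secret, and all function names are assumptions made for illustration; these parameters offer no security.

```python
import random

N, K, T = 7, 4, 1                 # constructed toy [7,4,3] binary Hamming code, t = 1
DATA_POS = (3, 5, 6, 7)           # 1-based non-power-of-two positions carry the message

def hamming_generator():
    """Generator matrix: in every codeword the XOR of the 1-based positions holding a 1 is 0."""
    rows = []
    for d in DATA_POS:
        row = [0] * N
        row[d - 1] = 1
        for b in range(3):        # parity positions 1, 2, 4 follow the bits of d
            if (d >> b) & 1:
                row[(1 << b) - 1] = 1
        rows.append(row)
    return rows

def keygen(rng):
    """Return K_pub = (G, t) and the secret permutation (assumed stand-in for K_secret)."""
    perm = list(range(N))
    rng.shuffle(perm)             # public column i is structured column perm[i]
    g = hamming_generator()
    g_pub = [[row[perm[i]] for i in range(N)] for row in g]
    return (g_pub, T), perm

def encrypt(pub, m, rng):
    """ENCRYPT(m) = mG + e over F_2, with e of weight at most t."""
    g_pub, t = pub
    y = [sum(m[r] * g_pub[r][i] for r in range(K)) % 2 for i in range(N)]
    for i in rng.sample(range(N), rng.randint(0, t)):
        y[i] ^= 1                 # flip the chosen error positions
    return y

def decrypt(perm, y):
    """DECRYPT(y) = A_C(y): undo the permutation, correct one error by syndrome, read m."""
    c = [0] * N
    for i in range(N):
        c[perm[i]] = y[i]
    syndrome = 0
    for pos in range(1, N + 1):   # syndrome = XOR of the positions holding a 1
        if c[pos - 1]:
            syndrome ^= pos
    if syndrome:                  # a nonzero syndrome names the flipped position
        c[syndrome - 1] ^= 1
    return [c[d - 1] for d in DATA_POS]

if __name__ == "__main__":
    rng = random.Random(2024)
    pub, secret = keygen(rng)
    message = [1, 0, 1, 1]
    print(decrypt(secret, encrypt(pub, message, rng)) == message)
```

A single-error-correcting code can be decoded by anyone from G alone, so this instance only illustrates the data flow of the scheme.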

Which code Family? - GRS codes

Generalized Reed-Solomon codes
H. Niederreiter. Knapsack-type cryptosystems and algebraic coding theory. Problems of Control and Information Theory, 15(2):159-166, 1986.

Parameters           Key size   Security level
[256,128,129]_256    67 ko      2^95

Attack against this proposal:
V. M. Sidelnikov and S. O. Shestakov. On the insecurity of cryptosystems based on generalized Reed-Solomon codes. Discrete Math. Appl., 2:439-444, 1992.

Which code Family? - Subcodes of GRS codes

Subcodes of GRS codes
T. Berger and P. Loidreau. How to mask the structure of codes for a cryptographic use. Des. Codes Cryptogr., 35:63-79, 2005.

Attack against this proposal:
C. Wieschebrink. Cryptanalysis of the Niederreiter public key scheme based on GRS subcodes. In Post-Quantum Cryptography, volume 6061 of Lecture Notes in Comput. Sci., pages 61-72, 2010.

Which code Family? - Reed-Muller codes

Reed-Muller codes
V. Sidelnikov. A public-key cryptosystem based on Reed-Muller codes. Discrete Math. Appl., 4(3):191-207, 1994.

Parameters          Key size   Security level
[1024,176,128]_2    22.5 ko    2^72
[2048,232,256]_2    59.4 ko    2^93

Attacks against this proposal:
L. Minder and A. Shokrollahi. Cryptanalysis of the Sidelnikov cryptosystem. In EUROCRYPT 2007, pages 347-360, 2007.
I. V. Chizhov and M. A. Borodin. The failure of McEliece PKC based on Reed-Muller codes. IACR Cryptology ePrint Archive, 287, 2013.

Which code Family? - AG codes

Algebraic Geometry codes
H. Janwa and O. Moreno. McEliece public crypto system using algebraic-geometric codes. Designs, Codes and Cryptography, 1996.

Parameters          Key size   Security level
[171,109,61]_128    16 ko      2^66

Attacks against this proposal:
C. Faure and L. Minder. Cryptanalysis of the McEliece cryptosystem over hyperelliptic codes. Proceedings 11th Int. Workshop on Algebraic and Combinatorial Coding Theory, 2008.
A. Couvreur, I. Márquez-Corbella and R. Pellikaan. A polynomial time attack against Algebraic Geometry code based Public-Key Cryptosystems. ISIT 2014, 1446-1450, 2014.

Which code Family? - Concatenated codes

Concatenated codes
H. Niederreiter. Knapsack-type cryptosystems and algebraic coding theory. Problems of Control and Information Theory, 15(2):159-166, 1986.

Attack against this proposal:
N. Sendrier. On the concatenated structure of a linear code. AAECC, 9(3):221-242, 1998.

Which code Family? - Convolutional codes

Convolutional codes
C. Löndahl and T. Johansson. A new version of McEliece PKC based on convolutional codes. ICICS, 15(2): 461-470, 2012.

Attack against this proposal:
G. Landais and J.P. Tillich. An efficient attack of a McEliece cryptosystem variant based on convolutional codes. Post-Quantum Cryptography, LNCS, vol. 7932, 102-117, 2013.

Which code Family? - Binary Goppa codes

Binary Goppa codes
R. J. McEliece. A public-key cryptosystem based on algebraic coding theory. DSN Progress Report, 42-44:114-116, 1978.

Parameters          Key size   Security level
[1024,524,101]_2    67 ko      2^62
[2048,1608,48]_2    412 ko     2^96

McEliece scheme with Goppa codes has resisted cryptanalysis so far!

[Figure: diagram of code families (subcodes of AG codes, subcodes of GRS codes, alternant codes, Goppa codes, AG codes, GRS codes, Reed-Muller codes), each marked Broken or Unbroken. Annotations: subcodes of GRS of small dimension (Unbroken); new results in Wild Goppa codes (Broken).]